chapterhouse 0.8.1 → 0.9.0

package/dist/api/korg.js

@@ -1,8 +1,8 @@
 import { sendToAgentSession } from "../copilot/orchestrator.js";
 export async function routeKorgMessage(input) {
     const message = input.message.trim();
-    const sessionId = input.session_id?.trim() || `korg-${Date.now()}`;
-    const sessionName = input.session_id?.trim() || message.slice(0, 80).trim() || sessionId;
+    const sessionId = input.sessionKey?.trim() || `korg-${Date.now()}`;
+    const sessionName = input.sessionKey?.trim() || message.slice(0, 80).trim() || sessionId;
     const prompt = [
         "Handle this request as Korg via the API.",
         `Research session id: ${sessionId}`,
@@ -13,7 +13,7 @@ export async function routeKorgMessage(input) {
         message,
     ].join("\n");
     const reply = await sendToAgentSession("korg", prompt);
-    return { ok: true, session_id: sessionId, reply };
+    return { ok: true, sessionKey: sessionId, reply };
 }
 export function listKorgResearchSessions(db) {
     return db.prepare(`
@@ -21,8 +21,8 @@ export function listKorgResearchSessions(db) {
       session_id AS id,
       COALESCE(NULLIF(TRIM(session_name), ''), session_id) AS name,
       COUNT(*) AS source_count,
-      0 AS open_questions,
-      MAX(ingested_at) AS last_activity
+      0 AS open_questions_count,
+      MAX(ingested_at) AS last_activity_at
     FROM wiki_sources
     WHERE status = 'active'
       AND session_id IS NOT NULL

package/dist/api/korg.test.js

@@ -13,7 +13,7 @@ test("routeKorgMessage creates a research session id and delegates to the persis
     const mod = await import(new URL(`./korg.js?case=${Date.now()}-${Math.random()}`, import.meta.url).href);
     const result = await mod.routeKorgMessage({ message: "Research local-first PKB patterns." });
     assert.equal(result.ok, true);
-    assert.match(result.session_id, /^korg-/);
+    assert.match(result.sessionKey, /^korg-/);
     assert.equal(result.reply, "Korg reply");
     assert.deepEqual(calls, [{
             slug: "korg",
@@ -33,8 +33,8 @@ test("routeKorgMessage preserves an existing research session id in the delegate
         },
     });
     const mod = await import(new URL(`./korg.js?case=${Date.now()}-${Math.random()}`, import.meta.url).href);
-    const result = await mod.routeKorgMessage({ message: "Add two more sources.", session_id: "compiler-research" });
-    assert.equal(result.session_id, "compiler-research");
+    const result = await mod.routeKorgMessage({ message: "Add two more sources.", sessionKey: "compiler-research" });
+    assert.equal(result.sessionKey, "compiler-research");
     assert.equal(result.reply, "Continuing session");
     assert.match(prompt, /compiler-research/);
     assert.match(prompt, /Add two more sources\./);

package/dist/api/route-coverage.test.js

@@ -0,0 +1,225 @@
+// Route & SSE coverage — static analysis CI safeguard (P0 remediation, issue #369)
+//
+// Coverage status as of 2026-05-15:
+// ──────────────────────────────────────────────────────────────────────────────
+// GET    /api/wiki/pages            — tested (server.test.ts: coerced updated, frontmatter)
+// GET    /api/wiki/browser-pages    — tested (server.test.ts: browser contract, orphan fallback)
+// GET    /api/wiki/sources          — tested (server.test.ts: empty payload, page filter)
+// GET    /api/wiki/links            — tested (server.test.ts: all links, empty, page filter)
+// GET    /api/wiki/page             — tested (server.test.ts: CRUD, welcome page synthesis, 404)
+// PUT    /api/wiki/page             — tested (server.test.ts: wiki CRUD create flow)
+// DELETE /api/wiki/page             — tested (server.test.ts: wiki CRUD delete flow)
+// GET    /api/wiki/search           — NOT tested (add in Phase 3c)
+// POST   /api/wiki/update           — static auth guard tested below
+// POST   /api/wiki/page/pin         — auth + traversal guard tested
+// POST   /api/wiki/ingest           — NOT tested (add in Phase 3c)
+// GET    /api/wiki/korg/sessions    — NOT tested (add in Phase 3c)
+// POST   /api/wiki/korg             — NOT tested (add in Phase 3c)
+// ──────────────────────────────────────────────────────────────────────────────
+import { describe, test } from "node:test";
+import assert from "node:assert/strict";
+import { readFileSync } from "node:fs";
+import { join } from "node:path";
+import { fileURLToPath } from "node:url";
+const __dirname = fileURLToPath(new URL(".", import.meta.url));
+const ROOT = join(__dirname, "..", "..");
+const FRONTEND_API_PATH = join(ROOT, "web", "src", "api.ts");
+const SERVER_TS_PATH = join(ROOT, "src", "api", "server.ts");
+const WEB_SCHEMAS_PATH = join(ROOT, "src", "shared", "api-schemas.ts");
+/**
+ * Normalise a URL path for comparison:
+ *  - Replace complete template-literal expressions  ${...}  with  :param
+ *  - Strip incomplete trailing template expressions (e.g. `${query ` cut by `?`)
+ *  - Replace Express named params  :slug  with  :param
+ *  - Strip trailing slashes
+ */
+function normalizePath(raw) {
+    return raw
+        .replace(/\$\{[^}]*\}/g, ":param") // complete ${...} → :param
+        .replace(/\$\{[^}]*$/, "") // trailing incomplete ${...  (cut by `?` in regex)
+        .replace(/:[a-zA-Z_][a-zA-Z0-9_]*/g, ":param") // :slug → :param
+        .replace(/\/+$/, "") // strip trailing slash
+        .trim();
+}
+/**
+ * Extract all unique normalised API paths called via authedFetch() in the
+ * frontend api.ts. Only static string / template-literal arguments are
+ * detected — calls that pass a pre-constructed variable are skipped.
+ */
+function extractFrontendPaths(src) {
+    // Matches authedFetch( then an opening quote/backtick then /api/...
+    // Stops at the same quote character, or at `?` (query string start).
+    const re = /authedFetch\(["'`](\/api\/[^"'`?]+)/g;
+    const paths = new Set();
+    for (const m of src.matchAll(re)) {
+        const normalised = normalizePath(m[1]);
+        if (normalised) {
+            paths.add(normalised);
+        }
+    }
+    return paths;
+}
+/**
+ * Extract all unique normalised API paths registered via app.METHOD() in
+ * server.ts. Only /api/ prefixed paths are considered.
+ */
+function extractServerPaths(src) {
+    const re = /app\.(get|post|put|delete|patch)\(["'`](\/api\/[^"'`?]+)/g;
+    const paths = new Set();
+    for (const m of src.matchAll(re)) {
+        const normalised = normalizePath(m[2]);
+        if (normalised) {
+            paths.add(normalised);
+        }
+    }
+    return paths;
+}
+/**
+ * Extract SSE type literals emitted inline via formatSseData({ type: "X", ... })
+ * in server.ts. Pass-through calls like formatSseData(event) are not detected.
+ */
+function extractSseDataTypes(src) {
+    // Allow up to ~200 chars between `formatSseData({` and `type: "X"` to
+    // handle multi-line object literals (queued, queue-advance, etc.).
+    const re = /formatSseData\(\{[\s\S]{0,200}?type:\s*["']([^"']+)["']/g;
+    const types = new Set();
+    for (const m of src.matchAll(re)) {
+        types.add(m[1]);
+    }
+    return types;
+}
+/**
+ * Extract the first argument (event name) from all formatSseEvent("name", ...)
+ * calls in server.ts.
+ */
+function extractSseEventNames(src) {
+    const re = /formatSseEvent\(["']([^"']+)["']/g;
+    const names = new Set();
+    for (const m of src.matchAll(re)) {
+        names.add(m[1]);
+    }
+    return names;
+}
+/**
+ * Extract the `type` literal values from StreamEventSchema in web/src/api-schemas.ts
+ * by scanning for `type: z.literal("X")` patterns.
+ *
+ * These are the only valid SSE frame types the frontend will parse via the
+ * default `message` EventSource handler.
+ */
+function extractStreamEventSchemaTypes(src) {
+    // Locate the StreamEventSchema block first so we don't accidentally pick up
+    // literals from other schemas.
+    const startIdx = src.indexOf("export const StreamEventSchema");
+    if (startIdx === -1) {
+        throw new Error("StreamEventSchema not found in src/shared/api-schemas.ts");
+    }
+    // Take a generous slice (10 000 chars) — the schema is large but finite.
+    const block = src.slice(startIdx, startIdx + 10_000);
+    const re = /type:\s*z\.literal\(["']([^"']+)["']\)/g;
+    const types = new Set();
+    for (const m of block.matchAll(re)) {
+        types.add(m[1]);
+    }
+    return types;
+}
+// ─────────────────────────────────────────────────────────────────────────────
+// Tests
+// ─────────────────────────────────────────────────────────────────────────────
+describe("route coverage — static analysis", () => {
+    test("all frontend authedFetch paths have a matching server route registration", () => {
+        const frontendSrc = readFileSync(FRONTEND_API_PATH, "utf8");
+        const serverSrc = readFileSync(SERVER_TS_PATH, "utf8");
+        const frontendPaths = extractFrontendPaths(frontendSrc);
+        const serverPaths = extractServerPaths(serverSrc);
+        const missing = [];
+        for (const fp of [...frontendPaths].sort()) {
+            if (!serverPaths.has(fp)) {
+                missing.push(fp);
+            }
+        }
+        assert.ok(missing.length === 0, `Frontend calls ${missing.length} route(s) with no matching server registration:\n` +
+            missing.map((p) => `  MISSING: ${p}`).join("\n") +
+            "\n\nAdd the missing route(s) to src/api/server.ts");
+    });
+    test("server routes cover every unique normalised path (no obvious duplicates leaked)", () => {
+        const serverSrc = readFileSync(SERVER_TS_PATH, "utf8");
+        const serverPaths = extractServerPaths(serverSrc);
+        // Sanity: the server must expose at least 30 /api/ routes.
+        assert.ok(serverPaths.size >= 30, `Expected ≥30 server routes, found ${serverPaths.size}. Check extractServerPaths regex.`);
+    });
+});
+describe("wiki write route safeguards — static analysis", () => {
+    test("wiki update and pin routes declare authMiddleware explicitly", () => {
+        const serverSrc = readFileSync(SERVER_TS_PATH, "utf8");
+        assert.match(serverSrc, /app\.post\("\/api\/wiki\/update",\s*authMiddleware,\s*async \(req: Request, res: Response\) => \{/);
+        assert.match(serverSrc, /app\.post\("\/api\/wiki\/page\/pin",\s*authMiddleware,\s*async \(req: Request, res: Response\) => \{/);
+    });
+});
+describe("SSE exhaustiveness — static analysis", () => {
+    // ───────────────────────────────────────────────────────────────────────────
+    // REGRESSION CANARY for issues #367 / #368:
+    //
+    // `formatSseEvent("status", payload)` generates an SSE *named event*:
+    //   event: status\ndata: {...}\n\n
+    //
+    // The frontend's EventSource only handles the default `message` event.
+    // Named events are silently dropped — the frontend never sees them.
+    //
+    // If any future code adds `formatSseEvent("X", ...)` where "X" is also a
+    // type in StreamEventSchema, this test FAILS, preventing the regression.
+    // ───────────────────────────────────────────────────────────────────────────
+    test("formatSseEvent is not used with names that belong in the StreamEventSchema data channel", () => {
+        const serverSrc = readFileSync(SERVER_TS_PATH, "utf8");
+        const schemaSrc = readFileSync(WEB_SCHEMAS_PATH, "utf8");
+        const namedEventNames = extractSseEventNames(serverSrc);
+        const schemaTypes = extractStreamEventSchemaTypes(schemaSrc);
+        const conflicts = [];
+        for (const name of namedEventNames) {
+            if (schemaTypes.has(name)) {
+                conflicts.push(name);
+            }
+        }
+        assert.ok(conflicts.length === 0, `formatSseEvent() is being used with name(s) that are also StreamEventSchema types:\n` +
+            conflicts.map((n) => `  CONFLICT: formatSseEvent("${n}", ...) — must use formatSseData({ type: "${n}", ... }) instead`).join("\n") +
+            "\n\nNamed SSE events are silently dropped by the frontend's default 'message' handler (issues #367/#368).");
+    });
+    test("all inline formatSseData type literals are known StreamEventSchema types or agent-stream-only types", () => {
+        const serverSrc = readFileSync(SERVER_TS_PATH, "utf8");
+        const schemaSrc = readFileSync(WEB_SCHEMAS_PATH, "utf8");
+        const emittedTypes = extractSseDataTypes(serverSrc);
+        const schemaTypes = extractStreamEventSchemaTypes(schemaSrc);
+        // Types emitted only on /api/agents/stream — not part of the main chat
+        // StreamEventSchema but intentional (received by a separate subscriber).
+        const agentStreamOnlyTypes = new Set(["agent_event"]);
+        const unknown = [];
+        for (const t of [...emittedTypes].sort()) {
+            if (!schemaTypes.has(t) && !agentStreamOnlyTypes.has(t)) {
+                unknown.push(t);
+            }
+        }
+        assert.ok(unknown.length === 0, `formatSseData emits type(s) not present in StreamEventSchema:\n` +
+            unknown.map((t) => `  UNKNOWN: "${t}"`).join("\n") +
+            "\n\nEither add these to StreamEventSchema in src/shared/api-schemas.ts, " +
+            "or add them to the agentStreamOnlyTypes allowlist in this test.");
+    });
+    test("StreamEventSchema covers at least the core chat stream types", () => {
+        const schemaSrc = readFileSync(WEB_SCHEMAS_PATH, "utf8");
+        const schemaTypes = extractStreamEventSchemaTypes(schemaSrc);
+        const required = [
+            "connected",
+            "delta",
+            "message",
+            "cancelled",
+            "status",
+            "queued",
+            "activity",
+            "queue-advance",
+            "turn-interrupted",
+        ];
+        const missing = required.filter((t) => !schemaTypes.has(t));
+        assert.ok(missing.length === 0, `StreamEventSchema is missing expected type(s): ${missing.join(", ")}\n` +
+            "These types were removed or renamed — update the schema and this test together.");
+    });
+});
+//# sourceMappingURL=route-coverage.test.js.map